Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-25025

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-02 Sep, 2020 | 16:19
Updated At-04 Aug, 2024 | 15:26
Rejected At-
Credits

The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields).

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:02 Sep, 2020 | 16:19
Updated At:04 Aug, 2024 | 15:26
Rejected At:
▼CVE Numbering Authority (CNA)

The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields).

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://typo3.org/help/security-advisories
x_refsource_MISC
https://typo3.org/security/advisory/typo3-ext-sa-2020-016
x_refsource_CONFIRM
Hyperlink: https://typo3.org/help/security-advisories
Resource:
x_refsource_MISC
Hyperlink: https://typo3.org/security/advisory/typo3-ext-sa-2020-016
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://typo3.org/help/security-advisories
x_refsource_MISC
x_transferred
https://typo3.org/security/advisory/typo3-ext-sa-2020-016
x_refsource_CONFIRM
x_transferred
Hyperlink: https://typo3.org/help/security-advisories
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://typo3.org/security/advisory/typo3-ext-sa-2020-016
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:02 Sep, 2020 | 17:15
Updated At:21 Jul, 2021 | 11:39

The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields).

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary2.04.0MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 2.0
Base score: 4.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CPE Matches

localization_manager_project
localization_manager_project
>>localization_manager>>Versions before 7.4.0(exclusive)
cpe:2.3:a:localization_manager_project:localization_manager:*:*:*:*:*:typo3:*:*
localization_manager_project
localization_manager_project
>>localization_manager>>Versions from 8.0.0(inclusive) to 8.7.0(exclusive)
cpe:2.3:a:localization_manager_project:localization_manager:*:*:*:*:*:typo3:*:*
localization_manager_project
localization_manager_project
>>localization_manager>>Versions from 9.0.0(inclusive) to 9.2.0(exclusive)
cpe:2.3:a:localization_manager_project:localization_manager:*:*:*:*:*:typo3:*:*
Weaknesses
CWE IDTypeSource
CWE-863Primarynvd@nist.gov
CWE ID: CWE-863
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://typo3.org/help/security-advisoriescve@mitre.org
Vendor Advisory
https://typo3.org/security/advisory/typo3-ext-sa-2020-016cve@mitre.org
Patch
Vendor Advisory
Hyperlink: https://typo3.org/help/security-advisories
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: https://typo3.org/security/advisory/typo3-ext-sa-2020-016
Source: cve@mitre.org
Resource:
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

289Records found

CVE-2025-2564
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.60%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 16:12
Updated-29 Sep, 2025 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized View Access to Archived Channel Member Info

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24526
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 18.92%
||
7 Day CHG~0.00%
Published-24 Feb, 2025 | 07:23
Updated-01 Oct, 2025 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Channel export permitted on archived channel when viewing archived channels is disabled

Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they shouldn't have access to it

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24872
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 14.95%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 00:37
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP ABAP Platform (ABAP Build Framework)

The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This has a limited impact on the confidentiality of the application with no effect on the integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP ABAP Platform (ABAP Build Framework)
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-2424
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.21% / 10.79%
||
7 Day CHG~0.00%
Published-14 Apr, 2025 | 14:49
Updated-01 Oct, 2025 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Leaked Metadata of Deleted Files via Bookmark Creation

Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24421
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 39.48%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 17:37
Updated-17 Apr, 2025 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Commerce | Incorrect Authorization (CWE-863)

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to read select data. Exploitation of this issue does not require user interaction

Action-Not Available
Vendor-Adobe Inc.
Product-commercecommerce_b2bmagentoAdobe Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24869
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 14.45%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 00:36
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure vulnerability in SAP NetWeaver Application Server Java

SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need it. These XML files are not entirely SAP-internal as they are deployed with the server. In such a scenario, sensitive information could be exposed without compromising its integrity or availability.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server Java
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-9791
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.80%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 03:27
Updated-26 Jun, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-rhel9: organization data leak after feature disabled in keycloak

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.

Action-Not Available
Vendor-Red Hat, Inc.
Product-build_of_keycloakRed Hat build of Keycloak 26.4Red Hat build of Keycloak 26.6.3Red Hat build of Keycloak 26.6Red Hat build of Keycloak 26.4.13
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-9807
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.20%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 07:34
Updated-29 May, 2026 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-25026
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 16.12%
||
7 Day CHG~0.00%
Published-28 May, 2025 | 01:11
Updated-28 Aug, 2025 | 14:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Guardium information disclosure

IBM Security Guardium 12.0 could allow an authenticated user to obtain sensitive information due to an incorrect authentication check.

Action-Not Available
Vendor-IBM Corporation
Product-Security Guardium
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24436
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 39.48%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 17:37
Updated-16 Apr, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Commerce | Incorrect Authorization (CWE-863)

Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to view select information. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-magentocommercecommerce_b2bAdobe Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24397
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 20.61%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 17:02
Updated-03 Oct, 2025 | 00:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-gitlabJenkins GitLab Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24460
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.42%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 17:23
Updated-30 Jan, 2025 | 21:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCity
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-9048
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.86%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 23:28
Updated-02 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Slider Revolution 7.0.0 - 7.0.14 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including raw social media API credentials: the Instagram OAuth token, Flickr API key, YouTube Data API key, and Facebook App ID, stored in any configured slider's settings.

Action-Not Available
Vendor-Revolution Slider
Product-Slider Revolution
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-23419
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-5.3||MEDIUM
EPSS-2.56% / 83.17%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 17:31
Updated-27 Jan, 2026 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TLS Session Resumption Vulnerability

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-Debian GNU/LinuxF5, Inc.
Product-nginx_plusnginxdebian_linuxNGINX PlusNGINX Open Source
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-28053
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.38% / 68.77%
||
7 Day CHG~0.00%
Published-23 Nov, 2020 | 13:11
Updated-04 Aug, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.

Action-Not Available
Vendor-n/aHashiCorp, Inc.
Product-consuln/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2014-0169
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.78% / 51.32%
||
7 Day CHG~0.00%
Published-02 Jan, 2020 | 19:09
Updated-06 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is an intended functionality, it was not clearly documented which can mislead users into thinking that a security domain cache is isolated to a single application.

Action-Not Available
Vendor-Red Hat, Inc.
Product-jboss_enterprise_application_platformJBoss EAP
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-26223
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-1.11% / 61.94%
||
7 Day CHG~0.00%
Published-13 Nov, 2020 | 17:25
Updated-04 Aug, 2024 | 15:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization bypass in Spree

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.

Action-Not Available
Vendor-spreecommercespree
Product-spreespree
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-21562
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 24.03%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 20:53
Updated-29 Apr, 2025 | 20:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Run Control Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CC Common Application Objects. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise CC Common Application Objects accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-peoplesoft_enterprise_cc_common_application_objectsPeopleSoft Enterprise CC Common Application Objects
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-25655
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.60% / 44.44%
||
7 Day CHG~0.00%
Published-09 Nov, 2020 | 14:38
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users.

Action-Not Available
Vendor-Red Hat, Inc.
Product-advanced_cluster_management_for_kubernetesopen-cluster-management
CWE ID-CWE-863
Incorrect Authorization
CVE-2013-4411
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.35% / 68.19%
||
7 Day CHG~0.00%
Published-03 Dec, 2019 | 14:39
Updated-06 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Review Board: URL processing gives unauthorized users access to review lists

Action-Not Available
Vendor-reviewboardReview BoardFedora Project
Product-reviewboardfedoraReview Board
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2188
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.65% / 46.53%
||
7 Day CHG~0.00%
Published-06 May, 2020 | 12:45
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-amazon_ec2Jenkins Amazon EC2 Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-6343
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.07%
||
7 Day CHG~0.00%
Published-18 May, 2026 | 08:32
Updated-18 May, 2026 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-42724
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.45% / 35.71%
||
7 Day CHG~0.00%
Published-10 Oct, 2022 | 00:00
Updated-23 Jun, 2026 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).

Action-Not Available
Vendor-misp-projectn/a
Product-mispn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-20332
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.37% / 28.85%
||
7 Day CHG~0.00%
Published-06 Aug, 2025 | 16:14
Updated-06 Aug, 2025 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Identity Services Engine Authorization Bypass Vulnerability

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. This vulnerability is due to the lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to modify descriptions of files on a specific page. To exploit this vulnerability, an attacker would need valid read-only Administrator&nbsp;credentials.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-Cisco Identity Services Engine Software
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-41944
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.45% / 35.91%
||
7 Day CHG~0.00%
Published-28 Nov, 2022 | 00:00
Updated-23 Apr, 2025 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse users can see notifications for topics they no longer have access to

Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-5796
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.17%
||
7 Day CHG~0.00%
Published-25 Jun, 2026 | 04:34
Updated-26 Jun, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2104
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-1.07% / 60.87%
||
7 Day CHG~0.00%
Published-29 Jan, 2020 | 15:15
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-42351
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.92% / 55.96%
||
7 Day CHG~0.00%
Published-19 Dec, 2022 | 10:00
Updated-23 Apr, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AEM Incorrect Authorization Security feature bypass

Adobe Experience Manager version 6.5.14 (and earlier) is affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to disclose low level confidentiality information. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-experience_manager_cloud_serviceexperience_managerExperience Manager
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-15288
Matching Score-4
Assigner-3938794e-25f5-4123-a1ba-5cbd7f104512
ShareView Details
Matching Score-4
Assigner-3938794e-25f5-4123-a1ba-5cbd7f104512
CVSS Score-3.1||LOW
EPSS-0.22% / 13.05%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 20:10
Updated-09 Mar, 2026 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tanium addressed an improper access controls vulnerability in Interact.

Tanium addressed an improper access controls vulnerability in Interact.

Action-Not Available
Vendor-taniumTanium
Product-interactInteract
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-15322
Matching Score-4
Assigner-3938794e-25f5-4123-a1ba-5cbd7f104512
ShareView Details
Matching Score-4
Assigner-3938794e-25f5-4123-a1ba-5cbd7f104512
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 15.45%
||
7 Day CHG~0.00%
Published-30 Jan, 2026 | 00:20
Updated-09 Mar, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tanium addressed an improper access controls vulnerability in Tanium Server.

Tanium addressed an improper access controls vulnerability in Tanium Server.

Action-Not Available
Vendor-taniumTanium
Product-serverTanium Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-1472
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 14.10%
||
7 Day CHG~0.00%
Published-19 Mar, 2025 | 14:11
Updated-01 Oct, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized View Access to Site Statistics and Team Statistics

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-1501
Matching Score-4
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-4
Assigner-Nozomi Networks Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.06%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 10:25
Updated-26 Aug, 2025 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect authorization for traces request/download in CMC before 25.1.0

An access control vulnerability was discovered in the Request Trace and Download Trace functionalities of CMC before 25.1.0 due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can request and download trace files due to improper access restrictions, potentially exposing unauthorized network data.

Action-Not Available
Vendor-Nozomi Networks
Product-CMC
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-14318
Matching Score-4
Assigner-M-Files Corporation
ShareView Details
Matching Score-4
Assigner-M-Files Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 19.53%
||
7 Day CHG~0.00%
Published-18 Dec, 2025 | 07:32
Updated-23 Feb, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper access validation in M-Files Server

Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.

Action-Not Available
Vendor-M-Files Oy
Product-m-files_serverM-Files Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-14943
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.17%
||
7 Day CHG~0.00%
Published-10 Jan, 2026 | 06:32
Updated-08 Apr, 2026 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Blog2Social: Social Media Auto Post & Scheduler <= 8.7.2 - Incorrect Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts.

Action-Not Available
Vendor-pr-gateway
Product-Blog2Social: Social Media Auto Post & Scheduler
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-13653
Matching Score-4
Assigner-floragunn GmbH
ShareView Details
Matching Score-4
Assigner-floragunn GmbH
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.13%
||
7 Day CHG+0.01%
Published-01 Dec, 2025 | 18:02
Updated-02 Dec, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized access to documents in data streams with specially crafted requests

In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges.

Action-Not Available
Vendor-floragunn
Product-Search Guard FLX
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-13767
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.07%
||
7 Day CHG~0.00%
Published-24 Dec, 2025 | 08:01
Updated-31 Dec, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized Read Access to Private Channel Posts via Mattermost Jira Plugin

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-12555
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 15.32%
||
7 Day CHG~0.00%
Published-11 Mar, 2026 | 16:07
Updated-13 Mar, 2026 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled due to improper authorization checks.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-12924
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.30% / 22.12%
||
7 Day CHG+0.01%
Published-10 Nov, 2025 | 01:02
Updated-24 Feb, 2026 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
rymcu forest BankController.java GlobalResult authorization

A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. This issue affects the function GlobalResult of the file src/main/java/com/rymcu/forest/web/api/bank/BankController.java. The manipulation leads to missing authorization. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available.

Action-Not Available
Vendor-rymcurymcu
Product-forestforest
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-1110
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-2.7||LOW
EPSS-0.28% / 19.95%
||
7 Day CHG+0.01%
Published-22 May, 2025 | 14:02
Updated-29 May, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Granularity of Access Control in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-11239
Matching Score-4
Assigner-KNIME AG
ShareView Details
Matching Score-4
Assigner-KNIME AG
CVSS Score-2.3||LOW
EPSS-0.19% / 9.27%
||
7 Day CHG+0.01%
Published-02 Oct, 2025 | 12:23
Updated-08 Oct, 2025 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Job details are visible to all team members on KNIME Business Hub

Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 were visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0 only metadata of jobs is shown to team members. Only the creator of a job can see all information including in- and output data (if present).

Action-Not Available
Vendor-knimeKNIME
Product-business_hubKNIME Business Hub
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-5377
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.15%
||
7 Day CHG+0.04%
Published-22 Apr, 2026 | 16:04
Updated-23 Apr, 2026 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-11439
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 23.57%
||
7 Day CHG~0.00%
Published-08 Oct, 2025 | 06:32
Updated-09 Oct, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JhumanJ OpnForm integrations authorization

A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue.

Action-Not Available
Vendor-jhumanjJhumanJ
Product-opnformOpnForm
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-11776
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.82%
||
7 Day CHG~0.00%
Published-14 Nov, 2025 | 07:58
Updated-17 Nov, 2025 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Guest user can discover archived public channels

Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-11777
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.16% / 5.77%
||
7 Day CHG~0.00%
Published-13 Nov, 2025 | 17:32
Updated-17 Nov, 2025 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-team channel membership access

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-10545
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.31% / 22.37%
||
7 Day CHG~0.00%
Published-16 Oct, 2025 | 08:24
Updated-21 Oct, 2025 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Guest user can add unauthorized team users to private channels

Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-27761
Matching Score-4
Assigner-Gitea Limited
ShareView Details
Matching Score-4
Assigner-Gitea Limited
CVSS Score-4.3||MEDIUM
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea repository feeds bypass API token scope enforcement

Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-9926
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-1.15% / 62.93%
||
7 Day CHG~0.00%
Published-07 Nov, 2024 | 15:02
Updated-28 May, 2025 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jetpack < 13.9.1 - Subscriber+ Arbitrary Feedback Access

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form

Action-Not Available
Vendor-UnknownAutomattic Inc.
Product-jetpackJetpackjetpack
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-0765
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 27.64%
||
7 Day CHG~0.00%
Published-24 Jul, 2025 | 06:33
Updated-08 Aug, 2025 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-9155
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.28%
||
7 Day CHG+0.01%
Published-26 Sep, 2024 | 14:57
Updated-29 Sep, 2025 | 13:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Authorization On Unlinked Channel Files

Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-8974
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-2.6||LOW
EPSS-0.28% / 19.35%
||
7 Day CHG+0.01%
Published-26 Sep, 2024 | 23:02
Updated-04 Oct, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Provision of Specified Functionality in GitLab

Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-684
Incorrect Provision of Specified Functionality
CWE ID-CWE-863
Incorrect Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found